Accenture reported to ZDNet that they “closed the exposure when the Amazon Web Services S3 issue was first reported. As we continue our forensic review we may learn more but, the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system.”

Other Incidents of Lax Cloud Protection

Accenture isn’t the only organization to be in the news recently regarding security of their cloud data.

ZDNet recently reported about an Israeli technology company who exposed millions of Verizon customer records by storing this data on an unprotected Amazon S3 storage server. Verizon said it was investigating how its customer data was improperly stored on the AWS server as “part of an authorized and ongoing project” to improve its customer service. Verizon said the vendor’s employee incorrectly set their AWS storage to allow external access.

The very ease with which almost anyone in an organization can setup storage in the cloud is a big reason why security could be lax. There is a real potential that cloud storage setup is not receiving the same scrutiny and process control as on-premise applications.

“It’s astonishing how many security-conscious organizations seem to lack basic security controls for cloud servers. There’s a reason that most users can’t unilaterally setup their own servers in a corporate data center – they need to be secured, managed, and governed. But almost anyone can setup a server in Amazon, Azure or other cloud servers, and expose sensitive data. The cloud can provide robust infrastructure, but the responsibility for securing data and sensitive apps still rests squarely with the organization.”

“And this is the worrying point – the buckets have been configured to allow public access. The default public permissions when creating a bucket are “Do not grant public read access to this bucket” – helpfully accompanied with “Recommended” in brackets. Someone has chosen to change the permissions and it’s tough to explain this away as an accident.”

As in the Verizon and RNC cases, third parties such as vendors often have access to an organization’s data and may have less rigorous controls and processes in place around data protection.

Insider threats are another potential security risk within cloud environments as well. The Cloud Security Alliance lists malicious insiders as one of their top 12 cloud computing threats, stating “in a cloud scenario, a hellbent insider can destroy whole infrastructures or manipulate data.”

To mitigate against the possibility of insider threats, organizations should employ threat detection software that actively listens for suspicious activity such as file transfers, privileged user actions, and website and email monitoring.

Marianna Noll is a Maryland-based writer with an interest in the impact that technology has on organizations and users. She writes about software, user adoption and engagement with software, and IT security.

Posts created: 105

Previous articleHow to Keep Your IoT Devices Safe

Next articleAnother Equifax Breach? New Concerns of Second Leak Have Equifax Reeling Again